linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Arvind Sankar <nivedita@alum.mit.edu>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Arvind Sankar <nivedita@alum.mit.edu>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
	David Laight <David.Laight@aculab.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 2/6] crypto: lib/sha256 - Don't clear temporary variables
Date: Thu, 22 Oct 2020 23:17:57 -0400	[thread overview]
Message-ID: <20201023031757.GB135789@rani.riverdale.lan> (raw)
In-Reply-To: <20201022045850.GE857@sol.localdomain>

On Wed, Oct 21, 2020 at 09:58:50PM -0700, Eric Biggers wrote:
> On Tue, Oct 20, 2020 at 04:39:53PM -0400, Arvind Sankar wrote:
> > The assignments to clear a through h and t1/t2 are optimized out by the
> > compiler because they are unused after the assignments.
> > 
> > These variables shouldn't be very sensitive: t1/t2 can be calculated
> > from a through h, so they don't reveal any additional information.
> > Knowing a through h is equivalent to knowing one 64-byte block's SHA256
> > hash (with non-standard initial value) which, assuming SHA256 is secure,
> > doesn't reveal any information about the input.
> > 
> > Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
> 
> I don't entirely buy the second paragraph.  It could be the case that the input
> is less than or equal to one SHA-256 block (64 bytes), in which case leaking
> 'a' through 'h' would reveal the final SHA-256 hash if the input length is
> known.  And note that callers might consider either the input, the resulting
> hash, or both to be sensitive information -- it depends.

The "non-standard initial value" was just parenthetical -- my thinking
was that revealing the hash, whether the real SHA hash or an
intermediate one starting at some other initial value, shouldn't reveal
the input; not that you get any additional security from being an
intermediate block. But if the hash itself could be sensitive, yeah then
a-h are sensitive anyway.

> 
> > ---
> >  lib/crypto/sha256.c | 1 -
> >  1 file changed, 1 deletion(-)
> > 
> > diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
> > index d43bc39ab05e..099cd11f83c1 100644
> > --- a/lib/crypto/sha256.c
> > +++ b/lib/crypto/sha256.c
> > @@ -202,7 +202,6 @@ static void sha256_transform(u32 *state, const u8 *input)
> >  	state[4] += e; state[5] += f; state[6] += g; state[7] += h;
> >  
> >  	/* clear any sensitive info... */
> > -	a = b = c = d = e = f = g = h = t1 = t2 = 0;
> >  	memzero_explicit(W, 64 * sizeof(u32));
> >  }
> 
> Your change itself is fine, though.  As you mentioned, these assignments get
> optimized out, so they weren't accomplishing anything.
> 
> The fact is, there just isn't any way to guarantee in C code that all sensitive
> variables get cleared.
> 
> So we shouldn't (and generally don't) bother trying to clear individual u32's,
> ints, etc. like this, but rather only structs and arrays, as clearing those is
> more likely to work as intended.
> 
> - Eric

Ok, I'll just drop the second paragraph from the commit message then.

  reply	other threads:[~2020-10-23  3:18 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-20 20:39 [PATCH v2 0/6] crypto: lib/sha256 - cleanup/optimization Arvind Sankar
2020-10-20 20:39 ` [PATCH v2 1/6] crypto: Use memzero_explicit() for clearing state Arvind Sankar
2020-10-22  4:36   ` Eric Biggers
2020-10-23 15:39     ` Arvind Sankar
2020-10-23 15:56       ` Eric Biggers
2020-10-23 20:45         ` Herbert Xu
2020-10-23 21:53           ` Eric Biggers
2020-10-29  7:00             ` Herbert Xu
2020-10-20 20:39 ` [PATCH v2 2/6] crypto: lib/sha256 - Don't clear temporary variables Arvind Sankar
2020-10-22  4:58   ` Eric Biggers
2020-10-23  3:17     ` Arvind Sankar [this message]
2020-10-20 20:39 ` [PATCH v2 3/6] crypto: lib/sha256 - Clear W[] in sha256_update() instead of sha256_transform() Arvind Sankar
2020-10-22  4:59   ` Eric Biggers
2020-10-20 20:39 ` [PATCH v2 4/6] crypto: lib/sha256 - Unroll SHA256 loop 8 times intead of 64 Arvind Sankar
2020-10-22  5:02   ` Eric Biggers
2020-10-23  3:12     ` Arvind Sankar
2020-10-23  3:16       ` Herbert Xu
2020-10-20 20:39 ` [PATCH v2 5/6] crypto: lib/sha256 - Unroll LOAD and BLEND loops Arvind Sankar
2020-10-22  5:02   ` Eric Biggers
2020-10-20 20:39 ` [PATCH v2 6/6] crypto: lib/sha - Combine round constants and message schedule Arvind Sankar
2020-10-20 21:36   ` David Laight
2020-10-21 15:16     ` Arvind Sankar
2020-10-22  4:34   ` Eric Biggers
2020-10-22  8:20     ` David Laight

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201023031757.GB135789@rani.riverdale.lan \
    --to=nivedita@alum.mit.edu \
    --cc=David.Laight@aculab.com \
    --cc=davem@davemloft.net \
    --cc=ebiggers@kernel.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).